16/Aug/2019
The implementation of the General Data Protection Regulation (GDPR) across European countries has been far from homogeneous – and it would be no surprise if large multinationals factored nations’ different stances on GDPR into their decisions on where to set up headquarters.
To compound matters, the European Union (EU) has done almost nothing to prepare for the likely flood of technology coming from China, a country with very different concepts of privacy, compared with the EU.
By the first anniversary of the implementation of GDPR (May 29, 2019), €56m in fines had been issued across Europe, but €50m of that was the single fine imposed on Google by France.
In terms of sanctions, France has taken the toughest stance. Not only did CNIL, the French data protection authority (DPA), fine Google €50m, it also fined Bouygues Telecom €250,000, Uber €400,000, Dailymotion €50,000 and Optical Center €250,000.
European countries have also demonstrated different strategies on penalties and they have installed different structures for implementing GDPR. In Germany, DPAs are organised on a German state level – but there is also a separate DPA at federal level, with jurisdiction over telecom and postal service companies. As a result, Germany has 17 data protection authorities, instead of just one.
Interpreting the regulations
Some European countries also disagree in their interpretations of aspects of GDPR. Austria’s DPA ruled that all a data controller has to do in response to a request for data deletion is to remove individual references to that data.
The most important difference in interpretation seems to lie in determining who imposes – and, ultimately, collects – the fines. When France’s CNIL issued its €50m fine on Google, it avoided the GDPR’s one-stop-shop rule that says a company will be fined in the country that hosts its headquarters – in Google’s case, this is the Republic of Ireland.
The CNIL argued that Google had no main base in the EU in relation to the fine in question, because all decisions concerning processing of data related to Android and Google accounts were made at Google’s US headquarters.
In contrast to France, many other EU countries have taken a softer approach, putting most of their efforts into educating companies and issuing warnings, rather than immediately imposing fines.
A report by DLA Piper on the number of breaches notified during the first eight months of GDPR indicates that the top three countries in terms of number of data breaches – the Netherlands, Germany and the UK – had almost twice as many breaches reported than in all other EU countries combined. DLA Piper reported that many organisations had notified authorities largely because they knew they could suffer heavy sanctions for not notifying.
However, what happens after they have reported a breach? DLA Piper says that the large number of notifications has created a backlog. As a result, many organisations have to wait a long time to find out whether or not action will be taken against them for reported breaches.
Given the disparate interpretation of GDPR across the EU countries, it is no wonder that data controllers are confused. So, too, are citizens. The many, many – and often confusing – data privacy messages that have appeared after May 2018 have certainly made using the internet more irritating.
“We need to simplify the message of GDPR,” said Giovanni Buttarelli, European data supervisor. “We need to invest more on training. Many citizens in the EU are not well informed about their rights.”
Forthcoming challenges
One of the other big issues to be addressed is how to handle technology coming in from outside the EU. Big data and artificial intelligence (AI) are likely to pose the biggest problems, especially given China’s growing role in these two technologies.
The EU has already invested a lot of effort in getting around the fact that the country where most of the data is stored – the US – has different views on data privacy than the EU. Thanks to bilateral agreements – with Safe Harbor, then Privacy Shield – EU-based data controllers feel safe in storing data on servers from certified US companies.
While the EU has done a good job of harmonising with the US, it may have to take a different approach for China. “In China, if you say you need privacy, it is interpreted to mean you have something to hide,” said Buttarelli. “The country has an entirely different approach to privacy, and that will clash with our views on privacy in the future.”
He added: “Today we are in a dialogue with Silicon Valley, and we have worked out a way to do business together in a way that ensures the protection of privacy in accordance with EU regulation. But by 2021 and 2022, the globalised Chinese systems will be prevalent. If they want to be operational in the EU, they need to have a dialogue with us.”
A more detailed article on this topic is available at Computer Weekly, via the link.
